Security Governance, Risk and Compliance Manager

Brackley (Hybrid)

At the Mercedes-AMG Petronas Formula One Team, a group of passionate and determined people work to design, develop, manufacture and race the cars driven by seven-time World Champion Lewis Hamilton and Grand Prix winner George Russell.

The Team has set a new benchmark for Formula One success during the sport’s current Hybrid era, winning consecutive Drivers’ and Constructors’ World Championships in 2014, 2015, 2016, 2017, 2018, 2019 and 2020, and the Constructors’ Championship in 2021.

Whether working in our Operations, Technical, Race or Business Support functions, we are all in and aspire to build the greatest team in the history of our sport.

Every individual plays their part. No stone is left unturned in the chase for every tenth of a second. The history of our sport is long and rich, and we are continuing our journey with renewed effort year on year. Record books remember the names of a few, but history is written by the many.

About the Role:

We are seeking a Security Governance, Risk and Compliance Manager to join our Information security team within an expanding and dynamic IT team. This role will develop and nurture our governance, risk, and compliance initiative in information security. We're looking for somebody who understands what attackers do, how they do it, and how we can stop them. We need somebody who can take that understanding, and build an appropriate Governance, Risk and Compliance (GRC) programme for our team. This role is more than writing policies. It's about understanding our risk, creating pragmatic and realistic policies to address them, and then driving compliance with those policies and measuring progress.

The ideal candidate will be as comfortable talking about reverse shells as they are scripting with an API to gather compliance data as they are drafting a security policy. It's a varied role, but will play a major part in developing security for our team. The role sits within IT, and reports to the Head of Information Security with the option for limited hybrid working.

In the role, you will:

  • Collaborate with stakeholders in IT and the business to understand and address security opportunities, assess our risk, and facilitate compliance with requirements.

  • Create a security policy suite which is appropriate for our team and effectively manages our risk.

  • Drive compliance with policies through pragmatic and credible engagement with technical teams.

  • Measure our compliance effectively. We’re not about lengthy spreadsheets with RAG (red, amber, green) statuses and obscure and ineffective key risk indicators.

  • Prioritise effectively. We work under the F1 cost cap. Anything we spend on security is money away from our car, so prioritisation is key. This doesn't mean we don't invest, but we have to prioritise effectively. There's no room for security theatre or wasted investments.

  • Prepare data for our regular IT operations and leadership meetings, as well as for consumption by our information security steering group.

  • Run security awareness campaigns to communicate policies, as well as run regular phishing simulations.

  • Own our third party security programme.

To be successful you will have:

  • Good knowledge of attacker tactics, techniques, and procedures, as well as a desire to learn more about them. It's not a deal breaker if you don't have this, but you should be prepared to learn.

  • Experience of working in a GRC role, ideally in a regulated industry such as finance. You should also have experience of compliance with Cyber Essentials and/or ISO27001.

  • Not scared of getting hands-on with technology. For example, if we can automate our measurement of compliance through data via APIs then you should be comfortable scripting this. If you don't have this, we can provide training.

  • Strong technical fluency. You should already have a good technical foundation in technologies such as Active Directory and EntraID, and be comfortable reading documentation and understanding systems.

  • Strong written and verbal communication skills. We want our policies and risk management to be visible, understood, and respected. A large part of this role will be communicating with colleagues and helping drive compliance in a pragmatic way.

And any of the following desirable skills:

  • A security management qualification such as CISSP, CRISC, or CISM.

  • ISO27001 qualifications such as ISMS foundation, internal auditor, or lead implementer.

  • Experience with Crowdstrike tooling. Crowdstrike are a key partner of our team, and we leverage a number of their tools. If you don't have experience with Crowdstrike, we'll provide training.

  • Experience with Microsoft security products.

  • Experience and/or certifications in offensive security, such as OSCP or eCPPT, or experience on platforms such as HackTheBox or TryHackMe.

The selection process:

  • Initial Teams interview with the Head of Information Security.

  • A visit to our factory in Brackley for your second interview where you will also meet colleagues in the IT department.

Benefits:

Our riverside campus is powered by 100% renewably sourced energy and features an on-site gym and exercise studio, subsidised restaurant and on-site parking with EV chargers available.

We offer a competitive and attractive package of benefits including a generous bonus scheme, Mercedes car lease scheme, private medical cover, life assurance and 25 days holiday. We pride ourselves on our family-friendly environment, employee well-being programme and offer flexible working opportunities.

Why us:

At the heart of our performance are our people. Every member of our team has a voice and plays their part in contributing to our successes on and off the racetrack. We take pride in creating an innovative, collaborative and high-performance culture where all of our team members are respected, empowered and valued.

Through our Accelerate 25 programme, we are continuously working to make our team even more diverse and inclusive. Whatever your background, we believe that you will find working with us rewarding and enriching.

Your application:

We will ask you to complete a questionnaire as well as submitting a cover letter and CV. Please submit your CV and cover letter as one PDF document.

Organisation: Mercedes-AMG Petronas F1 Team